The EU Cookie Law

Posted: 9th May 2012

Time to read: 6 minutes

In May 2011 the EU rules on the use of cookies* by websites changed (in the UK, through an amendment to the Privacy and Electronic Communications Regulations). All business websites based in European countries must now gain the user's explicit permission before dropping non-essential cookies on their computer or device. (Source: Guidance on the rules on use of cookies and similar technologies)

When does this come into effect?

The Information Commissioner’s Office (ICO), which is enforcing this legislation in the UK, has given businesses one year’s grace to make the necessary changes. That grace period ends on 26th May 2012. Not long.

Hang on - what on earth are cookies?

Cookies are small pieces of text that a website asks your browser to store on your computer and to send back with every later request to that site. They are used to hold small amounts of information about your activity on a website, such as a session identifier or your preferences.

Some key examples are:

Google Analytics uses cookies to track traffic and monitor site activity which helps businesses to give a better user experience.

Businesses selling products or services online have shopping carts which use cookies to remember what’s in them.

Websites that need to remember your details so you don't have to constantly input information (such as preferences, name or email address) use cookies to do this job.

Advertisers use cookies to make adverts more specific to the user.

Some websites, such as online banks, use a session cookie to tie your browser to your logged-in session; the bank can then expire that session after a period of inactivity and log you out automatically to keep your account secure.

*The law extends to all forms of local storage, but cookies are by far the most common form and the one the legislation is primarily targeting.

{pagebreak}

So what’s the implication for your website?

To be compliant, every site will have to ask a user's explicit permission before it is allowed to place a non-essential cookie on a user’s computer. What counts as non-essential is a little ambiguous, but it is generally taken to mean every cookie with only two exceptions (the regulations describe these as strictly necessary):

Cookies used solely to carry out the transmission of a communication, such as load-balancing cookies that help the server give the user an improved web experience by allocating web resources more effectively.

Cookies strictly necessary to provide a service the user has explicitly asked for, such as the shopping cart cookie mentioned above.

To obtain permission a site is likely to show a pop-up or banner that asks the user for permission. If the user consents, a cookie is set to remember this preference, and only then are the other cookies allowed. If consent is refused or is not answered either way, no cookies will be set. This means that the user's preference cannot be stored either, and so the question will pop up on every single page.
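The gate described above, as an added example that is not code from the original post: a consent cookie is the only cookie written before the user answers, every non-essential loader is held back until that cookie says "yes", and a refusal is recorded by deleting the consent cookie rather than by storing a "no" (so, as the post says, no preference is stored). The cookie name `cookie_consent`, the one-year lifetime and the `googleAnalytics` loader are assumptions for the example.

```javascript
// Added example, not from the original post. Assumed names: the consent
// cookie is "cookie_consent"; the loaders passed to gateNonEssential() stand
// in for whatever tracking snippets the site would otherwise include unconditionally.

const CONSENT_COOKIE = 'cookie_consent';
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60; // assumed lifetime for the consent record

// Parse a Cookie request header or document.cookie string ("a=1; b=2") into a map.
function parseCookieString(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Consent exists only if the consent cookie is present with the value "yes".
// An absent cookie is "not answered either way", which counts as no consent.
function hasConsent(cookieString) {
  return parseCookieString(cookieString)[CONSENT_COOKIE] === 'yes';
}

// Build the cookie assignment that records the user's answer.
// "yes" sets a one-year cookie; anything else deletes the cookie (Max-Age=0),
// so a refusal leaves nothing behind on the user's machine.
function consentCookieValue(choice, { secure = true } = {}) {
  const attrs = choice === 'yes'
    ? [`${CONSENT_COOKIE}=yes`, 'Path=/', `Max-Age=${ONE_YEAR_SECONDS}`, 'SameSite=Lax']
    : [`${CONSENT_COOKIE}=`, 'Path=/', 'Max-Age=0', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Run the non-essential loaders only when consent has been given.
// Returns the names of the loaders that actually ran so the gate is testable.
function gateNonEssential(cookieString, loaders) {
  if (!hasConsent(cookieString)) return [];
  const ran = [];
  for (const [name, load] of Object.entries(loaders)) {
    load();
    ran.push(name);
  }
  return ran;
}

// Browser wiring: the banner's Accept / Decline buttons call recordChoice().
// Guarded so the same file also loads under Node for testing.
function recordChoice(choice) {
  const value = consentCookieValue(choice, {
    secure: typeof location !== 'undefined' && location.protocol === 'https:',
  });
  if (typeof document !== 'undefined') document.cookie = value;
  return value;
}

if (typeof document !== 'undefined') {
  gateNonEssential(document.cookie, {
    // assumed loader: insert the analytics snippet here instead of in the page <head>
    googleAnalytics: () => {},
  });
}

if (typeof module !== 'undefined') {
  module.exports = { parseCookieString, hasConsent, consentCookieValue, gateNonEssential, recordChoice };
}
```

The important property is that the analytics snippet is moved out of the page and behind `gateNonEssential()`; a banner that merely informs the user while the snippet still runs on load is the pattern the post complains about below.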

In other words, until permission is given, the website will keep asking the user until they say yes… or, more likely, leave the site. The ICO themselves found that, given the choice, around 90% of visitors to their own site did not give consent to the use of cookies. We think this is probably because most users do not understand what cookies are and how they can benefit their user experience.

Is this really going to happen? What if we just ignore it?

Non-compliance with this law carries a fine of up to £500,000.

Most industry folks think that this will be unenforceable. Google Analytics, a service that is entirely dependent on cookies, is installed on a large majority of websites. That’s a lot of potential legal action about to happen!

However, a spokesperson for the ICO has said that they will take various factors into consideration before they prosecute a website owner. (Source: http://econsultancy.com). The biggest concern is cookies used to gather information that is then used for marketing purposes.

Also, think about how many other websites you’ve seen recently that have asked for your consent to store a cookie. We'd be surprised if you’ve come across any. That’s a lot of non-compliant websites out there that appear to be doing nothing about this law.

Virgin and BT are the only sites we have seen cited specifically as examples of sites that do ask permission. But by the time they ask, they have already dropped cookies onto your computer, and even after you explicitly disallow cookies they continue to drop more!

Deciding not to comply involves no additional work as no changes need to be made to your website. But this does mean your site is technically non-compliant and therefore breaking both UK and EU law.

{pagebreak}

So what are our options?

At the very least, we advise a privacy policy for all websites. This involves conducting an audit of the cookies used (which cookies are set, by whom, for how long, and for what purpose) and then drafting a page that explains in plain English what these cookies are and what is being done with them. You can read Moogaloo’s privacy policy here. This will show intent to comply should the ICO initiate enforcement action.
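The audit step above, as an added example rather than the original post's or Moogaloo's own tooling: it takes Set-Cookie headers captured from a fresh browser session (before any consent prompt has been answered, which is also how the BT and Virgin behaviour described above is checked) and turns each into the row a privacy policy is written from: who set it, whether it is first- or third-party, whether it is a session or persistent cookie, and whether it carries the Secure and HttpOnly flags. The site host `www.example.com` and the three captured headers are constructed for the example.

```javascript
// Added example, not from the original post. SITE_HOST and the captured
// headers are assumptions; replace them with what your proxy or browser
// developer tools record on first load of your own site.

const SITE_HOST = 'www.example.com';

// Constructed sample: a session cookie, a two-year analytics cookie set on the
// parent domain, and a third-party advertising cookie from an ad network.
const capturedSetCookies = [
  { from: 'www.example.com', header: 'PHPSESSID=3f9a1c; Path=/; HttpOnly; Secure' },
  { from: 'www.example.com', header: '__utma=12345.67890; Expires=Wed, 08 May 2014 12:00:00 GMT; Path=/; Domain=.example.com' },
  { from: 'ads.adnetwork.example', header: 'id=abc123; Max-Age=63072000; Path=/; Domain=.adnetwork.example' },
];

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
// Flag attributes (Secure, HttpOnly) become true; valued ones keep their string.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const raw of attrParts) {
    const [key, ...rest] = raw.trim().split('=');
    cookie.attrs[key.toLowerCase()] = rest.length ? rest.join('=') : true;
  }
  return cookie;
}

// A cookie is first-party if its Domain attribute (or, failing that, the host
// that sent it) is the audited site or one of its parent domains.
function isFirstParty(cookie, responder) {
  const domain = (cookie.attrs.domain || responder).replace(/^\./, '').toLowerCase();
  return SITE_HOST === domain || SITE_HOST.endsWith('.' + domain);
}

// Describe one cookie the way the privacy policy needs to describe it.
function auditCookie({ from, header }) {
  const c = parseSetCookie(header);
  let lifetime = 'session';
  if (c.attrs['max-age'] !== undefined) {
    lifetime = `${Math.round(Number(c.attrs['max-age']) / 86400)} days`;
  } else if (c.attrs.expires !== undefined) {
    lifetime = `until ${c.attrs.expires}`;
  }
  return {
    name: c.name,
    setBy: from,
    firstParty: isFirstParty(c, from),
    lifetime,
    secure: c.attrs.secure === true,
    httpOnly: c.attrs.httponly === true,
  };
}

function auditAll(captured) {
  return captured.map(auditCookie);
}

// Every row here was set before the visitor answered any consent question;
// only the strictly necessary ones (the session cookie) may legitimately be.
console.table(auditAll(capturedSetCookies));

if (typeof module !== 'undefined') {
  module.exports = { parseSetCookie, isFirstParty, auditCookie, auditAll, capturedSetCookies };
}
```

The table does not decide which cookies are strictly necessary; that judgement stays with whoever drafts the policy. It does make the persistent third-party rows, the ones the ICO is most concerned about, impossible to miss.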

We can conduct a full audit of your website’s cookie usage and draft a tailored privacy policy.

To achieve full compliance (actually withholding non-essential cookies until consent is given) we would need to do more work.

The other option is to hold off and see what happens come the deadline. General industry opinion is that nothing significant will come of this legislation. If there is a rise in legal action then there are developers who are already thinking about what they can create to make upgrading simpler and more cost effective.

We cannot tell you what to do. But we strongly recommend you ensure you have a privacy policy in place within your website to show good intention.

Unseen and unknown costs

We think there is a far greater, intangible cost to implementing full cookie consent. As noted above, fully compliant sites will greet users with a pop-up when they arrive. The user then has the option to allow or not allow cookies on the site. If the user gives consent then we hope it will not have a large effect.

But the 90% who are likely not to give consent will probably start to experience frustration at their user experience. We think this will lead to a significant drop in traffic, enquiries and sales. It will also mean that Google Analytics becomes ineffective, since it can only record the minority of visitors who consent.

Further information:

More information on the law in general can be found in this blog post.

Our second blog contains a fairly long discussion on the law and possible solutions.

We would be happy to talk further with you about this and to answer any questions you may have. Remember, the deadline is 26th May 2012, so you have less than one month to put your privacy policy in place.